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(57) Abstract: The present invention is concerned with a method of, and apparatus for, detecting the source and movement of emails 
that are propagated by an email virus. The invention comprises a server configured to send outgoing electronic messages on behalf 
of terminals connected thereto and to deliver incoming electronic messages to the terminals, each terminal being accessed by one or 
more users. The server comprises: receiving means arranged to receive data relating to such electronic messages; analysing means 
arranged to analyse the received data in accordance with a specified criterion, so as to identify those electronic messages that satisfy 
the criterion; identifying means arranged to identify the destination of the identified electronic messages; processing means arranged 
to send a message to each of the identified destinations, requesting suspension of delivery of the identified electronic messages. This 
therefore allows suspect electronic messages (emails) to be identified, and recalled, or quarantined at a destination server, thereby 
preventing the spread of suspect emails as early as possible. The method also collates and presents email activity as a function of 
the position, within an organization, of the origin of an email. The email activity can be presented graphically, thus providing an 
enhanced user interface to email data within a company. In other words, awareness of movement of emails within a company is 
greatiy enhanced. This represents an improvement over the prior art, because it provides a faster way of identifying potential viral 
damage within, for example, a company intranet. 
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The present invention relates to methods of and ai,»,r=H , 
P«.pagat,on of electronic .mssages through a „etwori< a^h ' 
5 identi^ing email activity within an organisaL 

Email is the most v«rtclely used application because it 
-nethod Of transferrtng ^.for^ation. „s ability to 00^7 
seem-ngty independent of distance between l '"""^^ 

<*a.u^ thatmaKes en,ai, so attractK^e^^Lrtir^ T^' » »' •'•V 
10 positive manner - eg u. imo„„e a 

-sact-s. x^:j:zL:i7rji:::r ^-^-^ °' 

lua IS a piece of programm ng code usuaiiv Hie« • _. 
-mat causes some unexpected and usuLy undell T " 

ia --^--"^Ht is a^omatically spread to^::rmru.er:ll^^^ " 

transmission means for a virus te hw « . ""^P^ter users. The most common 

~ as soon as the/cTe ^ elttror"' " ^""^ - 

cause their code to e«outed ^7^:" " '^-■"-•ances 

Dr Solomons ™, gene^lly referred to as "an^ irar s„l , 

scan Incoming emails. Sud, softwa^ esL„T *° 

attachment, are detecU^^^:^,?;^ IT': ^"'^'^ ^ ''^ -™ 

behav.urofemails.«ana,.seTe™riXrc:rT^^^ 
30 musinevitably™.iesonso,.ee^„emar:r:;;r"^'"'^^'^°''^"-^»«-"'' 

Viruses, ^sT^' — usiy seen 

a^C, pubT^hed on the Bacltte r ^^^^^^^^ ^ — - 

computer viruses- (website addret !, : "^^'"^ °" 

35 h.*.W.bbc.co.uWt.h.sci«ect.tgggaM.stm. Osual. a Ij'^^ 
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form of a first part indicating the network delivery mechanism (e.g. http:// or file:// for the 
hypertext transfer protocol or file transfer protocol respectively) followed by the network 
address of the server (e.g. www.server Loom) suffixed with the name of the file that is 
being requested. Note that. In this example, such names are. for typographical reasons. 

5 shown with the 7/" replaced by "W")). 

One passage in the article states "anti-virus companies work to produce a 
'pattern' file that tells their software how to spot and stop the [malicious program]". A 
pattern file is a signature matching file. A further passage reports that "many anti-virus 
programs use mle-based techniques, called heuristics, to spot these variants". Heuristics 
10 are essentially Artificial Intelligence rule-based techniques that are used to estimate the 
probability that a piece of code is a vims. 

According to a first aspect of the present invention, there is provided a server 
configured to send outgoing electronic messages on behalf of temiinals connected 
thereto and to deliver incoming electronic messages to the temninals. each terminal being 
1 5 accessed by one or more users. The server comprises: 

receiving means an-anged to receive or generate log data relating to one or more 
traffic characteristics associated with electronic messages: 

analysing means arranged to analyse the log data in accordance with a criterion, 
so as to identify those electronic messages that satisfy the criterion; 
20 identifying means arranged to identify the destination of the identified electronic 

messages; and 

processing means arranged to send a message to each of the identified 
destinations, requesting suspension of delivery of the identified electronic messages. 

The log data may relate to the volume of data passing at a point along a 
25 data path or link in a time inten/al. in particular the volume of data originating from the 
same user or location in a time Inten/al. In particular, the log data relating to a target 
electronic message may indicate the volume of data or the number of messages 
originating (or received) from a common user, terminal, router or other topological 
position within a time inten^al. Conveniently, the log data may indicate the size of a 
30 message, as the message size is normally an indication of the nninimum amount of data 
sent by a user in a time interval. Preferably, the time interval is a time interval during 
which the taget message was sent or received. Alternatively or in addition, the log data 
may include an indication of the type or format of an electronic message, such that for 
example the number of messages of a given type or fomiat originating from a user in a 
35 time interval at a topological location can be ascertained. Thus, the term log data will be 
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an etec^nic m«s.ge ,s a «e, which is stored, for «<ampl,, oh a fite sen,er, and 1^ 

msssage'Trnrfra"! ""T '^'^ «'«'=^'"» 

ZTi! ™ ™' " •» '•te'^Wy those .h« satls^ 

m ' °' ~= ""^x* - Jan 

wheu»r me ema,. oon.a,ns plain ,ex,; whe.her i, ccnain, an attachment and if so v*a, 

n.pe 0, sttachmen. mere is; whether .here is a URL embedded herein and wh!.le 
15 ZT" '"'"'^ "^^-Tpo.n.a.y suspilL 

A specified criterion may be met when the log data relating to a target electronic 
n>essa^ indicates that a mresho« number of electronic messages and/o a 
data v^ume ong,na.es from a common terminal or user, in a time Interval durtr,g whil 
*eta^t electronic message was sent. This will allow bursts of data flow which cT^ 

Preferably the sen,er includes first means arranged to receive a signal identlMng 
or no. an «en««ed electronic message is rolated tc an electronic Issage 2. 

rr:r."~'~™'--'''---'»-'----eK..he 

in^lo ,• """r''*'' "'^ ^^"'^^ '"^'"''^^ =^cond means arranged to receive data 
indicatve of the success or etherise of me suspension request In the event tLtZ 

IZ^ °' =ald electronic message This 

could ,™«,lve sending a message to the destinations .ha. have been conflm,ed to hsl 
race^d a virus, and causing the sa« server to deiete such an electronic me™ agl 

virus a«, the suspension request is unsuccessful, the second means is a'ar,gJ!r,o 
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trigger operation of identifying means and processing means mnning on a server 
corresponding to the destination of the identified electronic message. 

Consider the scenario where terminal A. connected to sen/er SI and running 
email client software on behalf of user U1. sends emails to user U2. registered with 
5 terminal B. which is connected to sen/er S4. Further, assume that servers S1 and S4 are 
configured in accordance with the invention. In the event that the analysing means finds 
that emails sent from U1 to U2 satisfy the specified criterion and are also identified to be 
a virus, server S1 will monitor the result of the suspension request sent to server S4. If 
the suspension request sent to email server S4 is unsuccessful, the second means 
10 running on server S1 will send a message to email server S4. invoking operation of the 
identifying means and processing means running thereon, in respect of any emails sent 
from user U2. 

Preferably, In the event that a received signal identifies an electronic message 
not to be a virus and'the request is successful, the second means is an-anged to permit 
15 delivery of the identified electronic message. Thus, in the context of the example above, 
in the event that emails sent from U1 to U2 are not identified to be a virus, the second 
means mnning on S1 sends a message to sen/er S4. permitting delivery of these emails. 

Thus in a preferred arrangement, there is a plurality of the above-descnbed 
servers, and at least one of them comprises: 
20 receiving means arranged to receive a request to suspend delivery of an 

identified electronic message; 

polling means arranged to check whether or not the identified electronic 
message has been delivered, and if it has not. to block retrieval thereof by a respective 

terminal connected thereo; 
25 wherein, in response to receipt of a said request, the polling means is an-anged 

to check delivery of the identified electronic message, and in the event that it has not 

been delivered, to block retrieval thereof. 

In the context of the example given above, sen/er S4 would implement this 

functionality. Sen/er 84 would also include deleting means an-anged to check whether 
30 retrieval of the identified electronic message has been blocked, and. in the event that the 

Identified electronic message is both identified to be a vims and has been blocked, the 

deleting means deletes it. 

Suspension of delivery can take many fomis. and in a preferred arrangement, 
involves blocking retrieval of an email by user U2. Blocking retrieval can be effected by 
35 either changing the permissions of these identified emails, so that the user U2 cannot see 
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company. In other words, awareness of movement of emails within a company is greatly 
improved. This is an improvement over known email virus Identification methods, 
because it provides a faster way of identifying potential viral damage within, for example, 
a company intranet. 

5 According to a third aspect of the invention, there is provided a method 

corresponding to the functionality provided by the server. 

Further aspects of the invention are provided as specified in the appended 

claims. 

In the following description the terms "host", "intranet", "client", "device" and 
1 p "email data" are used; these are defined as follows: 

"client" - a requesting program, computer, or user in a client/sen/er relationship; 
"host" - any computer that has two-way access to other computers In a network 
such as the Internet or an Intranet; a client is a particular type of host. 

"intranet" - a'private network that is contained within an organisation. It may 
15 consist of many interlinked local area networks and also use leased lines in the Wide 
Area Network. Typically, an intranet includes connections through one or more gateway 
computers to the outside Internet. The main purpose of an intranet is to share company 
information and computing resources among employees in the organisation. 

"device" - any machine that is operable to receive data delivered over a 
20 network. Examples of devices include hosts, clients, routers, switches, and sen/ers. 

"email data' - packet data that has emanated from an email application running 
on a first device en route for an email application running on a second device. Email data 
includes overhead data, which enables the packet to anive at its destination, and is 
retrieved from the header part of a packet. Specifically email data includes at least 
25 protocol type, source address of packet, destination address of packet, size of payload of 
packet, and type of payload packet (which can be used to determine whether there is an 
attachment). A packet is identified as an email data type from examination of the protocol 
part of the header. The phrase "email packet data" and "email data" are used 
interchangeably in the following description. 
30 - Further aspects and advantages of the present invention will be apparent from 
the following description of preferred embodiments of the invention, which are given by 
way of example only and with reference to the accompanying drawings, in which 

Figure 1a is a schematic diagram of a network, within which embodiments of the 
Invention operate; 
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Rgure lb is a schematic diagram of nr«.« 
conventional email server; Processes and parts constituting a 

^ the inven^on;" ' ' ^ "^^^^^ — -s of a virus detector according to 

' accordingT::em:o:ire:to;^^^^^^^^^ ^ '•^-•^•"^ email t,eHa..ur 

.ependepnllLr rrer^::^^^^ emai. tra.c in 

10 Virus deteT I ~ " ^ —ted hy the 

Figure 6 is a flow diagram showing further asoerf. of 
dependence on the behaviour outiined in the method ^^^Z^^'"^"'^' "^""^ 
Pi.ure3. ' --^'•ca.e.es_en,^^^^^ of the output of one of the steps sh^ 

" R0ure4'"^^ ' ''^ ^ output of one of the steps shown in 

tHevlnis^rrl;::?^^^^^^^ 
20 to a seconre:^^^^^^^^^ """^"^ "^^"^ ~ - -aging emai, traf«c according 
accordingToTsJllVe::^^^^^^^^ "^""^ ^"'"^ — - --ging email traf«c 

Figure 13 Shows a further embodiment ' ' 

Ane^.Lchr:rh::::;~:„r"-^''- ------ -reia 

30 function,, networics. one of which « ^ ^ '^'^"^ '""^<^-l^ ^ Mty of 
separated into a plurality Of logica, email dl ^ "^tworlc can be " 

server machines and ciiTn. ma'chTnes Cu^I^nr " T """^ ^ ^"™«^ 
single togical email domain. """""rcating therewrth. Rgure 1a shows part of a 

The netwoik N1 could be a rn™, . 
3. ^ercon^ecte. .oca, ^a .etwCs retir^'r^^r 
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Of Which is Shown, for clarity), which route data to devices in the network in a manner 
known in the art and host machines H1 ... H7. which send and receive data, including 
email data, in a manner well known in the art. In the Rgure, only a nominal number of 
host machines H1 ... H7 are shown for clarity. The network N1 additionally includes 
several email sen/ers S1...Sn (only 3 shown for clarity), which receive and fonvard email 
from and to host machines H1...H7 or to and from other email sen/ers. and provide 
temporary storage of emails that are in transit to another destination. Each email server 
SI stores details of emails passing through it in a log file LF,The dashed links shown in 
Figure 1a indicate email traffic passing between email sender and host machine; for other 
communications, each of the host machines H1...H7 may communicate directly with the 
router R. 

As shown in Figure 1a. a public land mobile networtc (PLMN) (e.g. a GSM - 
compatible digital cellular network) N2 is connected via a gateway G to the IAN N1 . A base 
station B1 of the PLMN provides a ce'il in the vicinity"^ temiinal T1 . v^mich is enabled to send 
and receive email messages (typically by having an email dient running thereon) to hosts 
H1 ... H7 in the networi< N1. Since temiinal T1 can send and receive emails in the same 
manner as hosts HI ... H7. for the purposes of the following description it is considered 
to be a host. 

Figure lb shows parts of a conventional email sen/er SI. An email sen/er (also 
known as a messaging sen/er) comprises processes adapted to attend to both outgoing 
and incoming email requests. The email server comprises means S01 for receiving and 
processing incoming email requests, which reads the destination address on incoming 
messages and delivers them to an appropriate mailbox stored on the server Si. Means 
SOI provides what is commonly referred to as "destination sen/er- functionality. The email 

5 sen/er SI also comprises means 503 for sending and processing outgoing email 
requests, which is configured to interact with other sen/ers. or nodes, through which a 
message is passed, until the email reaches the networic corresponding to its destination. 
Means SOS provides what is commonly referred to as "dient sen/er" functionality. 

An email sen/er can thus act as both client and destination sen/er. Each email 

0 sen7ei^S1 has a message store ST1. which comprises- mailboxes MBi for each host Hi for 
which the email sen/er S1 acts as dient sen/er (in the case of sen/er SI . hosts H1 ... H4) . 
When a message arrives on the sen/er S1. the receiving means or logging means 801 
identifies the redpient and stores the message in the mailbox con^sponding to the 
redpient The message is copied to the host when the redpient clid<s on the message. 
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35 



previously seen email data in or^er to kte^ . T ^ ^"^'^ "^"^ 
proflles, each of which is Indica o, p^^^^t " " " 

Wo*, 'aicarive of particular type of email behaviour When new »m»ii 

the .elationship between email sen,^ 7 . ^ " <" 

— on.:o.scaia;erair:eo:;3S^^ 

snapshot Of the client/severs can be visualised T. ' ""^ ' 

m.*=. I. that classiflcaticn can ^ad to ,2^,^^". ^'^'"^ * 
.0 *b.y Classify unseen email data ^ .t^^! 7"'"^"'"'""'''''^ 

administrator to the presence cf a v;„,» T ""'^ ^'^ ' 

me presence of a virus, and cannot stop the spread of the vims 

Thus although the approach disofosed in PCT/GB2002A)O37O« - . . 

iri~^=~"-'--'-- 

... vir:::r:rr :~rr:: zr ^ -^-^ 
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,n particular, «nbodimen.s of the Invention provide a user interface to email data within a 
company, thereby presenting information on the movement of emails within a company ,n 
"Is of *. oHgm o, U,e email. One advantage of the approach described herem ,s that 
email acSvity within ar, entire company (comprising upwards of 120,000 employees can 

S be viewed on a single screen. Secondly, since the origin of an email can be traced to an 
employee (who has a well defined position within a company). infom,a.,on reiatng to the 
sector wHhin an organization from which emails are emana«ng can easily be retneved. 

Thus the invention represents an improvement over the current state of the art 
by vwue of the fact that known email virus detection methods do not parse emad log files 

10 and represent them in temis of employee/company stnjcture. 

r^,on,i«« of en Tviirnenls of the invention. 

Embodiments of the invention can be applicable to scenarios where users can 

■ belaiegorise^Tln terms of their position within an organisaUon, such as a company. A 
15 cootpan, can be organised into organisational units, and each employe. ^J^^'^ 
to one of the organisational units. Such organisational units are referred to as OUC , 
meaning organisational unit code, in the following description. 

Elntlally, embodiments may analyse previously seen email data (in the form of 
email log fHes, stored, e.g. In email se«er log files LFl) and identify hosU that are sending 
uncha^eristically large number of emails, and,or emails of a par«cu.ar ^ an^^ 
si^e. in this way, on the basis, a. least in part, of the temporal dlstribu^on ^J^c^ 
mrough or from a sen,er (or a plural«y of severs), the presence of a vrois can be ^err^ 
For any or all hosts so identified, the position of the associal«i email user, »»th 
respect to the organisaUon within which the user is located, is identified, and an identifier 
25 lder,.if,ing the number/size«ype of emails sent by that use. is displayed on a bespoke 

^"'"'"sr;tenr emails sen. from the Identi^ed hosts are .Cled, or temporarily 
cuarantined, whilst an example of the email is retrieved from the email »"er(wh,ch >s 
me 'Client server" of the identified host) and analysed by one or some of the above 
30 mentioned K„»«i .email virus analysers (e.g. by sending the virus to Symantec™ analysis 
Tnue (dossed below),. The recalling feature thus has the bene«t of hal«ng the spread 
Of the vims. Preferably, if the results of the analysis show the emails to be vimses^ma 
scaled «nails are then deleted. Conversely, if the emails a« not viruses, the recalled 
emails can be re-sent. 
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d.ag„™ Showing steps carrte. ou, by .he 'L l^!' ^"""^ 3 a™, 4 a« 
5 inference means for infem„g ,he „ Jence I " ^"^^ °^ 

d-recaon of arxow. indicate L^ZTZ^^^^T 

Frgu,, 4 indicates inpu. of data. Tt and a ""T"'' "~ 
grapWcal representetion „, detected emaii V^ . ' 
Showing further steps earned I "^""^ ^ is a ,Io« diagram 

10 --ingemaiissus^cted^n::^!:::" '"^""^ »<> 

Turning firstly to Figure 2. the vims detector 200 r,.~ 
such as that Shown in (Hgures la and 1b ,n Vl^ °" ^" ^ ^1. 

processes descni^d aboL L e^i s f '° ^""^'"^^ 

<CPU, .0,, a n^^ry un^L"! a„Xl^Z. d v^^.r-^^^'^'^ ^ 
15 to the network N1. storage 207 and . . * ""^^'^^ ^05 for connecting the server S1 

controi and coordinate iow c^;!: : ^rrsV C ""^r 

known in the ait • ^ configuration is well 

THeseprrrrrr:r::rr^°™°'^"'--^------ 

20 programs include a program Zltm ""^ 

-ta oog data,, .yp4 a::s:r:rereret TT.r^ ""^"^ 

SI or from processes embedded In «,» T ^ ' associated with t)« senrer 
<.a*a (not Shown, T^tTZZTZ T°'"^'°^'-"'^' '^*°<>'^-^ 
gathered data in order te TT ^ '"'"^ 

as --er^yp.s.eofemaiis.and ali"' a7 T"" 

identified hoste in the context of an or„=„ . "''^ -^P^sent such 

217, Which attempts to -elTem^: ^^h " !" ^"^'^^ P"^«n, 
Preferably «,e« „ , T,^,^""' clients. 

destlnat^n email sen«r. Crl"! ^^""^ " ^ ~- - a 

30 of the descnption. » <tesoribed at the end 

.ven«on":,.rwrdZ;r:rsr^^ 

- e, and the schematic dlaglni™ It ^ f ""^^ ^^"^ ^' ^ 

,''.**'™' *""'^"™^'"»8''h«'*n9 program 21, accesses 501 •, , 

35 LP. and ^nt^es SOS ^ ema„ accounts (hereinafter rr^^^rerariT: 
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iden«fie,s (ES1,» from which emails have been sent. Typically me log We LF1 will s^re 
details of emails sent wHhIn a network, such as an intranet, or a Virtual Pnvate Network 
(VPN), within a certain time peHod. Assuming that the virus detector 200 is operaUng 
Within a company intranet, since Individual email acccur^ts are associated with ,nd«,dual 
5 users, each email sender identifier ESl, will be associated with an employee (user). An 
email sender identifier ESI, can l» a user ID or a conventional email address. 

At step 505, the processing pmgram 213 selects a first email sender idenffler 
ESI, and Identifies 507 the organisational unH (OUC) corresponding to the selected ema.l 
idenWler ESI, (that is the oiganisational unit conesponding to the user having ema.l 
10 identifier ESI,). Such Identlflcation may Involve queo-lng a database in respect of the user 
corresponding to email identifier ESI, so as to retneve a data identifying the un« to wh,ch 
he/she belongs. 

At step 509. the processing program 213 creates a first sender ema.l list L„ and 
* the user's dialls. Including oOc identified at step 507 and email sender account deta.ls 
15 (including ESI,), are sto.^ in the list L. Next the processing program 213 parses ema.l 
log file LF1 in order to calculate 51 1 the number of destinations, each having a respective 
email Identifier (DEU). that have been sent emails from the sender's email account ESI. . 
Then for each of the destination email identifier DEI, the number, size and type of emails 
sent thereto are evaluated and saved to the list L, (step 51 3). 
20 Once the emails sent ft-om the first email sender identifier ESI, have been 

analysed and the results of the analysis saved to an associated list the processing 
program 213 selects 505 the next email sender identifier ESIa from the log file LF1 and 
repeats steps 507 - 513 in respect thereof. These steps are repeated until data in respect 
of all of the email sender identifiers identified by the gathering program 211 at step 503 

25 have been analysed. 

Thus steps 501 - 513 are parsing steps, the output of which is one or more lists, 
each comprising details of emails sent from an email account, together with data 
indicating the position, within an organisation, of the user associated with the ema.l 

account. , * ♦ 

-30 Subsequently.-at step 515. the_processing program 213 analyses the content of 

each of the lists L, in order to identify email senders for whom a certain percentage of 

sent emails are of the same size, and/or are of the sanne type (the size of emails .s not 

always used to identify viral activity because a clever virus could easily generate vanable 

Sized replications appending, for example, randomly generated data to an email before 

35 sending It). This percentage could be expected to vary depending on the level of 
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paranoia. By "type- of email, we mean whether th» . ■ 

contains an a«achn,en,, and . so, whaC^Jr ^ZL! ^ ' " "^^'^^^ " 

U.L e..e..e. .erei. an. ^ ^ ero^.^ " ""'^ " ^ 

SIS. anr L^: ir — :zi:e^r « - 

e^i, behaviour proffle for .he user ^^^JT!^' " ^ ^ ^ 

^ha^ourpro«,en,ay.a.e«,efo,,owi,«,Z A" en,ai. 




method (noTl^^WultT " "^^*" ^ '--'"9 

include ,e,nfo™.em .earning me«^ °«^- 

/»esea«:/, -DemoMos- Athene eJ' "^"^"^ ^enfra for Scfenf^ 

20 very least, to enter details of times at wh'! h Tk ^ "'^ 

emails, and the «mes a, which Z^.ZLT::::^^ " ^ °' 
Of people, if a p^flle is created u^ng at^e. ■ ' ' 
receives, as inp.^ data from the email ."n^r? "'^"'^ '^^"^ — 
Bme Slots Within each day - e g data l™ "'"^'^'^"9 to a day of the week and 

26 ,0:O0 slot-whe^upon » Us a^rr ' """""'^ «^<^ ' 

the day conespondlng to each day and timeslots within 
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At Step 519, in the event that the number of emails recorded in a list does not 
correlate (within certain bounds of uncertainty) with the expected number of emails, and if 
the size and type of email satisfies the criteria listed in respect of step 515, the number of 
emails sent is sent 521 to the visualising program 215 for display. 
5 At step 523, the visualising program 215 is aranged to present information 

graphically via a graphical user interface (GUI), specifically in response to receipt of data 
from the processing program 213. Referring to Figure 5. the visualising program 215 
creates a window 501 showing a two dimensional representation of a company structure, 
where each unit within the company is represented by a rectangle 503. and the 
10 rectangles are an^nged in. e.g. alphabetical order, from top left to bottom right. When the 
visualising program 215 receives data from the processing program 213, ft converts the 
data received at step 521 into a fonnat suitable for representation (described below), 
identifies which of the organisational units the received data conresponds to, and modifies 
the window 501 at a location con-esponding to the identified organisational unit (also 

15 described below). 

In the event that a company is organised into numerous organisational units, so 
that it is impossible to represent each unit on a single screen, the GUI could connprise a 
plurality of windows. For example. If an organisational stmcture were hierarchical, each 
window could correspond to a level in the hierarchy and selection of a window could be 

20 provided by menu options, or similar. However, in-espective of the exact fomi of the GUI, 
when data is received from the processing program 213. the visualising program 215 
identifies, in the window being displayed, the organisational unft that the received data 
relates to. and enters data at a location conresponding to the identified unft (part of step 
523). 

25 The data received by the visualising program 215 essentially identifies a number 

of emails sent from an email account. The conversion of data mentioned above invoh/es 
converting the number such ttiat ft can be represented graphically. Accordingly, at step 
523. the visualising program 215 nomialises numbers by the largest number received 
hitherto (or by a predetermined maximum), selects a colour depending on tiie normalised 
" 30 "value (e.g. 0.8 - 1.0 could be fed while 0.0 - 0:2 could be green), and paints the- 
rectangle corresponding to the identified organisational unft the selected colour. 

At the same time, and independent of visualising ttie email behaviour as 
described above, the virus detector 200 can control tiie spread of suspect emails. 
Referring to Figure 4. the recalling program 217 receives alert data (step 525). which is 
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indicative of email sender identifiers from which an uncharacteristically 'large number of 
emails have been sent, from the processing program 213. 

Subsequently, the recalling program 217 retrieves 527 at least one of the 
messages sent from these identified email senders. A copy, or a "sample- of messages 
6 sent by the email senders is stored locally, on the client sen/ers associated with the email 
sender identifiers, and is thus accessible by the retrieving means 217. (e.g. referring to 
Figure 1 a, if an email were sent from host H1 a copy of the email would be retrieved from 
server SI). A sample is sent 529 to a dedicated analysis centre such as the Symantec™ 
Antivirus Research Center (SARC) (at July 2002. suspect viruses could be submitted to 
1 0 SARC for analysis tliereof via a fomi posted at the following webpage: 

\\sen/ice2.symantec.com/SUPPORT/nav.nsf/docid/2000031615501 306. Usually 

such a request takes the form of a first part indicating the network delivery mechanism 
15 (e.g. http:// or file:// for the hypertext transfer protocol or file transfer protocol respectively) 
followed by the networi< address of the server (e.g. www.server l.com) suffixed with the 
name of the file that is being requested. Note that, in this example, such names are. for 
typographical reasons, shown with the "ir replaced by "W")). 

At, or around, the same time, at step 531. the recalling program 217 recalls ail of 
20 the emails sent from email accounts corresponding to the email sender identifiers for 
which data was received at step 525. The important point to note is that suspect emails 
are recalled as soon as possible; if it turns out later, in light of the results from the email 
analyser, that some of the recalled emails were not vims related, then those emails can 
be re-sent. 

25 It could therefore be said that the disadvantage of the recall feature is late 

delivery of those emails that have been misclassified as suspicious. However, this is a 
minor inconvenience compared with selective filtering based on outdated knowledge of 
email viruses; as experience has borne out, when hitherto unseen (and thus not 
suspected) emails are allowed to promulgate through a network, the network can be 

P^;^ys®d- Tl^^s- a slight delay in dellvery_fora.minority of cases is considered to be an 

acceptable disadvantage. 

The recall process performed by the recalling program 217 is now described in 
more detail with reference to Figure 6. At step 601. upon receipt of a first list L,. the 
recalling program 217 selects 601 a first destination identifier EDI, from the list Li'and 
35 looks up 603 an ennail sen/er con-esponding to that destination identifier EDI, (i.e. the 
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email server that has mailboxes corresponding to destination identifier EDIn). When the 
embodiment is mn in association with Microsoft™ Outloolc™. this lookup typically 
involves accessing a so-called "Global address book", where each user is listed, together 
with an email server corresponding thereto. 
5 The recalling program 217 then sends 605 a recall message to the identified 

server, whereupon the server checks 607 whether the email being recalled is still stored 
thereon (i.e. whether it is still in the mailbox), or whether the message has already been 
copied to the host of its intended recipient (EDIi). 

Microsoft Outlook™ already offers a "recall" facility, which can be activated from 
10 the email client mnning on a host Cun-ently an email can be recalled only if its recipient is 
logged on and has neither read the message nor moved it from the email Inbox. In known 
systems, the software enabling the recall functionality is only implemented on a host 
machine, partly because recalling of emails is perceived to be a personal choice. 

In comparison, the virus detector 200 can recall messages whether a user is 
15 logged on or not. by virtue of the fact that the recalling program 217 is invoked from an 
email sen/er rather than from an email client. Moreover, unlike current Microsoff^"^ 
Outlook™, where each user can only control emails sent from his own email account, the 
recalling program 217 can send messages in respect of a plurality of email sender 
addresses. This is due to the fact that the recalling program 217. mnning on an email 
20 sen/er. is unconstrained by individual user pemiissions, and can effect "mass recall" of 
suspicious emails. Thus, in light of current use of the recall facility, effecting recall from an 
email server is a surprising feature of the embodiment 

A protocol that could be used to recall and respond to receipt of recall messages 
is the Messaging Application Program Interface (MAPI), which is a Microsoft Windows 
25 program interface that enables e-mail to be sent from within a Windows application. MAPI 
can be utilised in embodiments wherein the vinjs detector 200 is a windows application. 
Alternatively, the recalling program 217 could send and receive messages using Remote 
Procedure calls (RPC) or TCP/IP. which is an Internet Protocol transport layer protocol. 
When the vims detector 200 is written to mn on the Unix™ operating system. Simple Mail 
30 Transfer Protocol (SMTP) could be used to exchange messages between email servers 
and clients and to send messages to sen/ers. and Post Office Protocol v3 (POP3) could 
be used to retrieve messages from an email sen/er. Other, bespoke protocols, which 
provide the same functionality, could also be used. 

In the event that the suspect email has not yet been copied to the email client 
35 mnning on the host machine, the identified sen/er sends 609 the said email back to the 
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«^U.ng progr.. 217 (using MAP,,; however, „ «,e suspea email ha, a,„ady been 

The recainng program 217 mairtains a raconl of the success or olhenlse o, 
«can,ng the emails (s,ep 533, Bgure 4,. Once ^„«s o,«. ema„ viru, a^^ave 

1 0 T:z::^r::^zT:::r:: ' ^""-^ "--^ ^ '--"^^ 

■ I*"" successfully recalled the 

reoalnng program 217 causes the emails to be «.sent 537. Clearly „ L rec^ Z. 
unsuocessft.. there Is no need to recall them and no n,rther ac«on is tal! 

15 r "» -a«s have been su^ ,y- 

16 deletes 539 them. For those emails for which the ^cail was unsuc^^^^ 
alert .s sent (e.g. In the form of an email alert, at step «1, to the email admWstrLor 
induding deta,ls of the infected emails and their desthatlon identifie,B 

oo.r=.- '1*^ ""^ N1 has a Vims detector 200 

20 ZhTf I ^ ^ ' " «ch sen,er f^^ 

20 wh,ch a failure message was Identmed at step 535. When ™celved at a .especflve seoT 

2 a no«««tton could trigger operation of the «,us detector, as descitL aZTh 

reference to Figures 2 - 6, on that sen/er. 

Turning now to Rgures 7 and 8. examples of the output generated bv the 
visualising program 215 will be discussed In Flour. 7 f™.r ss™-*"! by the 

25 CH ric s'usseo. in Figure 7, four organisational units AE, BF, 

CH DE are shown in grey, indicating that one or more email senders withh each of these 
^ups are sending .rge numbers of suspected ema« v».ses. "nie numbers of e!^! 
emanating from senders within ail groups for which data was ,«eived at step 521 Ze 
^ normalised, as described above In relation .0 step 523, and ctassi^ed a " 

me next highest number o, suspicious emails have been sent are shown hatch«. Cse 
o^anisationa, units for which no suspicious ema»s hav» been recorded aie omitted Z 

::prgra;::~"""^— ^'--^---^^ 
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Rgure 8 combines output from the visualising program 215 «ith details of tt,e 
path that emails emanating from the senders were identified to !,ave taken through the 
network (the path is identifi«l using the WINS resolution of email server. desoni«d 
above Email servers S1 ... S4 are shovm separately from the v^ndow 501 so as to avoid 
5 confusion between the infbm,ation about email emanation, in teons of units withm a 
company, and information about routes taken by those emails. 

From the figure it can be seen that, in the case of emails sent from 
organisaUonal units AE and BF, .he emails only reached as far as the email servers 
corresponding to the destination of emails sent therefrom (S4 and S3 respect^ely). Th,s 
10 is due to the fact that the recalling program 217 successfully recalled them before they 
were copied to the email client of the recipient However, in the case of organ-saUonal 
un» GH. emails emanating therefrom were not successfully recalled, and they were 
copied by email sen,er S3, to the emai cUents of their intended recipients (who are ,n the 
' or^artsational units GZ. HW. RE. VI shown in Figure 8; paths shown as dotted linesy 
15 Turning now to Bgure 9. the visualising program 215 can also be adapted to 

display details of the email sender Wentiflers (email account) from which the suspe<* 
emails have originated. The foregoing descripUon has descnbed identrfying the 
organisational unit With Which these ems. senders are associated; me Window created 

the visuansing program 215 can indude nnenu options, and/or link certain funcfonal,^^ 
20 with mouse did<s. When the visuaUsing program 215 is a windows applK:at,on. such 
functionality is provided by Java Foundation Classes (for lnfonnatk.n on wdting w,ndov« 
applications in Java, the reader is referred to -The Java™ Virtual madnlne specdicabon 
sun Microsystems Chapter 1.2. Undholm. T.. Yellln, F. 1999). Acco«.in3ly. ea^ 
rectangle 503 on the window 501 can be associated with display obiects (e.B. a dialogue 
25 box) so that When the user clicks with the right button on the mouse over a rectar^le 
901. certain Ihfonnation is displayed, in one anangement. the visualising program 215 
can be ananged to display details from eaot. of the lists U that were received at step 521 
in a dialogue box, as shown in Figure 9. 



30 Second embodiment ,-. 11 

A second embodiment will now be described with reference to Figures 10. 11 
and 12 The second embodiment is generally similar to that of Figures 2 to 9 such that 
like parts have been given like reference r^umerals and will not be described further .n 
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second embodiment, instsart r^f « 
program 217 sends a message .o JT^^ '"^ '^^ -caHIng 

quarantine process Involves preven^^l c °" The 

« '"-pe-ve.aii.oxun.irL^Tr^':::::-^^ 

Thus In me second embodiment 

processing, v.„a,lsln,,™ca.Hn. a!:^r '"^"^^ ^ 

219. a recalling p^gran, 215 of one vi Jde^HT """^ 
10 operates w,th a restraint^ p™g„„ 2,9 0,^!^^ " ^^"'^^ SI, co- 

-ver S2 - l.e. tne en,al, s^rvr^ "T^ "^"^ "^"^ °" ^ 

have .>een sent.to a plu.,^ Cell^t^r ^^^^ 

-rver „|„ compel Ja pL^rof '1"'"'^ ^''^ """'"^ "-^ 

on a ™spec«ve email sen«r. - -^I^^S Proaran,s219. each runni^ 

1« The quarantine process is now described with „r 

and 603 progress as described for ,(« r,r^^. " '° "^"^ ^'^P' 601 

a nr. list L„ the recaliin, pro,.„ ^r ^Z^: 'T ^ ^'^^ ' -^'P' 
•he IW L, and Identifies 603 an e™„ ^J^' ' EDI, fron, 

EDI, (i.e. me email server that has rZ^ " '""""^ '° 

20 EDI.). "'"""■'^ ""responding ,0 destination iden«fier 

■nie recalling program 217 then send^ inn< 
contains data identltying the suspect emails ,0 ,11 ' "^"^ "^"^^^^ ""^'^ 
program 2,9 running on the ide«L ^l^^J^ ^^^"^''^ 
sending server are stored mereon or wheth.rr *™"^«"a from the 

S host of Its intended recipient (EDy ' ^'"^"^ ^ ""-^ *<> 

In the event that one or more of th««« 
recipient. «,e restraining prog«m2,9 remo^Ttbet'n ""'"^ '° *^ 

and stores It elsewbere on tt,e sen-sr In 2 '"^^^ -"^ilbox, 

-e ^plen, the restraining ^^L' ".'I':'™"' '^^/"^•"•-^e has .>eer, copied to 
program 217 running on the sending email ""^'^^^ '^^"'r'a 

219 could send a single responseTrsr^ca;"^^'^' ' 
emails that have been copied ,0 tl,err^ T '''' °' >he 

restraining messages. ■'"Pients, when I, has 

processed all of the 

This process (steps 601 - inn«;\ . 
each list L,. destination identifier EDI, in 
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Once the recalling program 217 has received details of those emails that have 
been copied to their recipients, and has received the results of the email analysis, the 
recalling program 217 progresses as shown in Figure 11. For those emails that are not 
viruses and have been stored by the restraining program(s) 219. the recall.ng program 
5 217 sends 1103 a message to the or each restraining program 219. instnicting delivery of 
the said emails. 

For those emails that have been identified as viruses and have been stored by 
the restraining program(s) 219. the recalling program 217 sends 1105 a message to the 
or each restraining program 21 9. instmcting deletion of the said emails. 
10 For those emails that have been Identified as viruses, and which have been 

copied to their recipients, the recalling program 217 sends 1107 a message to the or 
each email sender, triggering operation of its virus detector 200 (i.e. triggenng the 
gathering program 21 1 running on the server identified at step 603 to perform step 501 )^ 
• " It may be expected that onc^ a vims has been identified, and .ndeed that the 

15 recipients of the vims have been identified, the steps 513. 515 etc. - of analysing the 
types of emails sent from the recipients are redundant, since the "carrier" of a virus is 
already known. Thus when the vims detector 200 is mn on the sen/er identified at step 
603. the processing program 215 merely idenfrfies those destination email i^^entifiers EDI^ 
to which the vims has been sent. Furthentiore the analysis steps (steps 527. 529. 534) 
20 are redundant, since It has already been established that those emails are vimses. As a 
result the only steps that have to be carried out by the sen/er identified at step 603, once 
the destination identifiers EDI, have been Identified, is recall or quarantining of the virus 
forwarded by hosts connected thereto. This also applies to the first embodiment. 

This therefore provides automated tracking of email viruses that have been 

25 copied to a recipient. 

m an alternative arrangement, the vimses could be analysed (step 534) on the 
email sender to which the suspect emails have been sent, and the restraining program 
219 could carry out the steps shown in Figure 11 without recourse to the recall.ng 
program 217 mnning on the sending email server. In such an arrangement, step 1005 is 
30 reduhdant.-while steps1103, 1105.1107 are run by the _ 
The second embodiment has an advantage of generating less traffic (because 
emails are not actually being recalled) than is generated with the first embodiment. 
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'n the foregoing description, it is assum^w fh ♦ 
•n a log file lf associated with an email ' ^'^^^ -^^^ed 

emai, serve., and each log «ie stored ^^^^^^^^^^^^^ ''^'^ ^ -"V log mes as 
^ has passed through its associated sender. °' f^^^c that 

^ In other anrangements. records of email tr^fr,. 

could be stored in a file. That file may be ZZ^T: """""'^'^ '^'^ ^^^^c 

the data traffic Is met. for exampll. when 1^ ^^'^ ""^^ ^ 

destinations. ""^^^ sent to a threshold number of 

AS a further altemattve ,o ,he al" 

200 be arranged to ou*u. data ,c ' '"^ ^ ''etector 

aoav,^, w«hln a ne^»d< N1 cc^j 5e visual L""" ^" ""^^ 

easier email administraBon. ^ wNch facilitates 

20 *""»<«nwn». shovm in Figure 13 =. „ . 

he. a araphica, user interface cTnlCr ^'"''^^"*^'^^^^ 
confin,,aaonins.,uc«on*heno„eormo,eZd "r- ~ " ' 

a-a". user wishes ,0 send, wh JZ^tn T "'^"^ '^'^ *» 

send authen^cation data ,38 towards a se^s ^ " "1 <o 

25 H, direcy or though a networtc can me le .hr^ *° 

Whether unusuaiemai, behaviour is genuine theL? -«a ,38 to chec. 

but valid emaii behaviour „,H be mistaken or T "'^ "™-al 

Partouiar me processing prog^m 2,3 can be Inw^ r~™' 
predetemiined criteria requiring conT^!" ^ ""als meeO™ fl,e 

30 a.v.»e.aiis a^enLr^r ^ "^-^ 

■no reduce-the risk nf o-r those emails. - _ _ . 

-~.ee ,3, pX: ::"XL'°;nr~"'"-----er 

P~de.en.ined criterion or criteria to ^ tn, T, , """" "^"^ 

confinnatlon instruction. The user wili preferabiv „1 k """^ '^"^^ 

« .nstrucon uniess the '^'n^n.r^ri ::^T^''Z'':::^'^''^ 
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cause ^^""7^^^':^3';' 1 for example w.en the user send, mcB 
The predetermined «*ena n, V ^^^^^ ^ ^, 

.han a ""^^ ^J^': .^Jjl, recipients as a tateh. or .he «,-esho« 

5 emans *--'^^^'2,Z^^ en«us sen. fron, .he user .ern,ina>, ,n parfcular «,e 

,0 nor.::rz:t:--n.H...he..^^^^^^^^^^^^ 

. ea.cu,a. ^ :^^::ZTJ:':Z:^::i o, one or ^re 

confirmation instruction from the user m pp ^^.^^^ 

. r.r:r-e™:nI.o.pn. .re...^ 

predetermined critena relates lo tt.e volume ox a „„„,,.^,.ertbytt»user. 
authen«ca«on date - conflm, me size o, *e ema„ (mo e o , ^ se„.^ 
The ser/er SI conneCed to me user tem„nal H1 '^^"^ ^ 
,0 data. »hich is stored in a user dateh^e ^l^^j::'j:Z 

processing P^gram 213 ninning on *e sen,er S1 „ ,^i„al. 

'originating from the tennina. H1. or in "^'^^'^-^-^TSZT^ 
me pn«essing program 213 inCuding a companson stage o°-P- 

me email t«hav.our w«h co^esponding ^""""J^^-^^'^lnes if the 
25 re.at.ng te that ema,1 .^havlour. The processing « ^^'^.^ ^,^,3 ^ 

3ent ema..s are genuinely sent b, the user, in „ «,e authenScaUon 

compared are slmpW the number Of emails sen. as a ba^ «.alj ^ ^ 

data in the user datebase 135 '^'l^^^Z. lZ^^^s .re^^^^ 
p.aetem,inedtole.^oe,JJ«^^^ 

" rar Zrat rcri.^ address or addresses to^iC the emails 
r^bL:s:,..andattemptetoreoallorsuspenddeiive.of.h.^^^^^^^^ .^^ 

The aumenttoa«on date is preferably sfored ,n me use dateb 
encrypted form, me p^cessor program ^ -X^arl ^TIT^ -en 

35 authentioaaon date, wmough a v»u8 email may be configured app 
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Tl' " ""^^ ^ '° "-e 3>*e«,caaon data, sine. 

' enter , "^^ " ' « may b. squired to 

enter a pas^o,, ^^^^^ .^^^^^ ^ the e^e„ p^^L 

may be conflaured to display a dialogue box for .he user ,o type ^ pas«J^ 

10 *«^3^ord data . no, stored on the ,em,i„a,, nor . « access«,le to .he ^,r^ 

2- ■ ye less ,,Ke,y that a v^s ^1, be able to trigger the authentlcaSon data to J! 
sent, and-lyetfunherreducethe risK the, a virus wl. propagate »om t.m,lna1. 

virus a„rh"""""'' I*-* fton, th. au«K.rs of a 

vrus, and hence may be more wldely disiiSinjiM and/or slmpter than person^ 

~ -mP-e. password may oon^iffoTtfi^ charairorZ ^ 

possrbly one or ^ characers, depending on comptexity o, a« vi,^ .^e III 
program is to be protected against. >« virus me e-mail 

A user ,em,inal having an exisHng emaN or messaging program mav 

dralog box orv^ndow having a button therein for the user to dice W>»1 piugT te 

send ema,. over a predetem^ined size or to a large number of r^dpients Ihe !^ " 
oblrged perform the additional acior, of registenng these emails as bulk marl thTgh 
me connn^ation bunon and,„ password. Each Hme a suspect numbert::^,:^' 

30 - - - - - — i. ^ 

The authenlication data may include the password data input by the user in which 

senrer. In one embedment, the password is simply induded in an email or the header 
an email intended for more than a threshold number of recipients ,he7 T 
35 configured to read me password and treat th. T *^ 

H «m)ra and treat the password as authenticaUon data if the 
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password matches password data stored in ^ sewer. Thus . .he j 
deceived by the sever from the terminal, the en,al. is treated as valKi. Th,s smpler 
Ihod Jt anows exls«ng messag.na softwa. to be used without n,od«ica*cn a„ow,ng 
re inventton to be mo^ eas.^ implemented. However, since in this en*od,n,en the 
Zr is neither invited nor o«M to con«m, that the emaU is valid, « "''^--^er 
«,at valid bulk emaHs v«ll be erroneously treated as virus ema.is by the server, 
Fur««m,o,e, «,is embodiment requires the password data to be stored on the se,ver 
This ,e<,ui,»nen. is no. necessary whe« the aforemen«oned piug-in us«i, s,nce the 
lUcatlon dau can be made irK.ependen. o, the password data, w,th the resu tha^ 
Tpassword daU can be upda«d without updating me sewer so*«a,e respons,b,e for 
reading and/or decrypting ttieauBienticatton data. -k^h =hnv» 

AS will be understood b, those skilled in *e an. me inven^on descnbed above 
may be embodied m one or more computer programs. These programmes can be 
conwned on various Wnsr^iisiSn- al-ior s.orage-mediums such as a floppy d.«. CD- 
ROM ormagne«otepeso«,a.the programmes can be loaded onto one or more general 
pZse Jputers or could be downloaded over a computer ne*»o,. using a surtat^e 

transmission medium. . 

unless the context clearl, requires othen«lse. ttuoughou. the descnpfon and the 

claims, the words -comprise-, -c^nprlsing- and the like are to be 

as opposed te an exclusive or exhaustive sense; that Is te say, >n «,e sense of ,nclud,ng, 
but not limited to". 
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CLAIMS 



IS 2. A server according to claim 1. including 

*e recueTa" T::: '"^'"'^ o,«„ success or , 

*lelion of the said electronic 

L«esr::r:r.eTj'3:ra: r ^ - ^ 

25 second means is ananoed .„ . • °" ""^ ^ '"fest is unsuccessful, the 
means running n 72^ IT":^ " P'^-ing 
^ssage. "n«pond«g to the desSnation of me idenflfled electronic 

30 --sl'Zrir^^^^^^ ^ed s.ns, 

3~ond.eansisan.n.edtope™,del.e.ofthe,:jn:reirn:~^^^ " 
5. A se^er accosting to an, one of p^„, 

flrs, storage for storing detail relating to such etecfonlc mess^es; 
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ftarther storage for storing a mapping .»*«een users and the organisational units 
^ :;r.n -Maying a .ura,^ o, images, eacH representa«ve ot an 
, ser-r is ar^nged, in use. suo. t.a. in response to a r.,ues. tor 

.atareta^ngtoauser^^^ . arranged to output data ident^g eieotronio messages 
^""^StZZ^ ^ arranged to output data «en«.y.ng w.iC o, .t,e 
. o---;---rrrr:ages that are ident«^ to sa«st, .e c^enon the 

r=i.Tr:.r:Vp^= 

electronic messages. 

A server acoor^ng to daim 5, «*ere.n, for those electronic messages that are 

and/or type of identified electronic messages emanating therefmm. 

7 A server according to daim 6, wherein the display means Is arranged to Insert a 

L bet^n the identified o,.anisatlcnal unit and the o,.anlsat^al unH co.e3pond,ng to 
the identified destination. 

Apparatus for delivering eleclronic messages, comprising a plurality of serve^ 
accord Jt: any one of the preceding d.m,. wherein a. .as. one of t.e servers 



15 



20 



25 8. 
a< 

comprises: 



"calving means arranged to receive a request to suspend delivery of an 

identified electronic message; ^\^Mrnn\r 
30 polling means arranged to chedc whether or not ^ .denffed elecU^n^c 

n^essage hasleen delivered, and If « has not. to bloclc «.Heval thereof t. a respect,ve 

'^""'"^ r::TZnse .o receipt of a ,a. request, the polling means is arranged 
.o d.d<lliv.ry Of the ide^ied eledronio message, and In the even, mat has not 
35 been delivered, to blocic retrieval thereof. 
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9- Apparatus according to claim 8. wherein the at least nno 

means for deleting an electronic message ^ J^..^* ^^^^^'"-'"de- deleting 

identifying that an identified electronr^ ss^^^^^^^ IT"" *° ^ ^ 

5 ti^e deletlr^g means is arranged to checkTeljrT " ''^^^^^^^ 

-sage has been Nocked, and if it has t °^ '-^-'^^^ «'«^-c 

«>■ Apparatus according to claim 8 or claim 9 • 
>^m^ elec^nte ^.^age is related to an el^^^nLt " 
10 electronic message has no, been blocked the *' 

number of electronic messages emanating from a user 

20 messages on Ja. o, rt^ir 'T. ^ ~ 

messages to the tem,inals, each tJ^Tjl 

"«hod comprising "™'"" "^'"9 '«=^ one or mora usen>. t,» 

receiving or generating data relating to one or more - 

^^"^ °' -ssages- and 

«'-«ver:!:e:r:r:rarr • — ~ 



3 

13. 



13. A method according to claim 12 inrf..w.„ 

..not an identiHed elec^nlc mess Z rl ':::r7 '""^ 

receiv.r>« ... electronic message virus 

receiving data indicat ve of the csno^ao^ x.. ' 

-n. that ^ received signs, -den^ an JLTorr 

is success.,, .r.ge„„g de,e„on o, Jr^rc::::^ ' 
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^. * loim 13 Wherein in the event that a received signal 

to which the users belong. ««ro«*»ntative of an organisational unit; 

. ™, ,n imaae corresponding to me Wertffied organisational units, 

.0..3.iderrrLror.e.o.:,or.^o.^..ede^n.n,ess.^^^ 

„ A.ett,oaaccord^.o.a,n,ia.».eceln-tHosee.^^^^^^^ 

— :::arr:r^^^^^ 

25 type of identified electronic messages emanating therefrom. 



15 



H«im 17 including inserting a link between the identified 

includes any one, or some, ot \y\^^ « 

number of electronic messages emanating from a user. 
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^ receiving date ™,allns ,o electronic messages sem by a user- 

receiving data identifying a mapping between users «nH «, 
to which the usere belong ^ ^""^ organisational units 

are identified to satisfy the criterion; onsmated the electronic messages that 

identifying, from the mapping which of th^ - 
to: and ^' ^""^ °^ organisational units the users belong 

"«ssagesen,anaUngfr,„auL ""-""^ «'»*0"lc 

20 

" ' "dn^^rja^rr ^-"^ - - - 

eacH.™i„.^3ccess::tro r:^^^^^^^^^^ - - -^-na.. 

means aoanged to generate log data reiatZ ToT^ """"^'^^ 

associated with electronic messL J 7 characteristics 

30 Cata in accordance 1 H^Il '° ^^'^ --ved 

messages that sa^styriC ^^^^nic 

messages, and, processing means 
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arranged to send a message to each of the Identified destinations, requesting 
suspension of delivery of the identified electronic messages. 

25 A server according to any of claims 1-7 and 23 -24. the server being arranged to 
5 ' receive authentication data from a tem^inal connected thereto, the authentication 
data being associated with one or more electronic messages, the server having a 
comparison stage configured to make a comparison between the log data relating to 
an identified message and the authentication data associated with that message, the 
processing means being arranged to execute a decision to send a suspension 
10 request to the identified destination of that message in dependence on the 
comparison made by the comparison stage. 

26 A server according to claim 25. wherein the authentication data is received in 
* encrypted fom,. the comparison stage being configured to decrypt the encrypted 

1 5 authentication data and to compare the decrypted data with the log data. 

27 A temiinal for sending and receiving electronic messages to and from a server 
according to claim 25 or claim 26. wherein the terminal has an interface, the interface 
having a user input for receiving send instructions to send one or more specified 

20 electronic messages to a server, the user input being configured to receive a 
confimiatlon input from the user to confirm the send instmctions and wherein in 
response to the confimiation input, the terminal is configured to send the speafied 
electronic messages towards the sen/er and to send authentication data assoaable 
with the specified electronic messages. 

28 A terminal according to claim 27 wherein the tem^inal is configured to detect whether 
a criterion relating to the specified electronic message is met. and to request a 
confimiation input from a user at the user interface in response to the criterion being 
met 

30 

29. A temiinal according to claim 27 or claim 28. wherein the temiinal is configured to 
transmit the authenticating data in encrypted form. 



31 

«aes, ine program being executable on a term.v.^i u • 

i„.«e me user .0 Inpu, a. «» use, WertaL , c^Jl . " 
confi™ me .end i™mK«ans: (d, upon ^cT" ' """7^*'"'" '° 

32. A carrier having an improvement computer Drnr,r«m H, • 

the send instructions; (b) only pemiit th. . *° "^^"""^ 

33. A carrier according to claim 31 or ?9 ■ ^ 

tran«,t^i« w ' authentication data is 

transmitted encrypted fomi. 

34. A carrier according to any one of claims 31 - 33 wherein th. . * 

-eon . eo...ed. .en e.ec^, . ^^TC ^1^;= 
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data as part of the confirmation instructions, and to only permit the terminal to 
sirXntication .ata once the password data has t.en input t>v the user. 

35 A serveraccord.ngtoanyofc.aims1-7and23-26,whereinthecriterion^ 

Hhe log data relating to a target electronic message .nd.cates that a 
Lrno. nurnber of electronic messages and/or a threshold data vo ume 
fror. a coalmen terminal or user, in a time interval dunng wh.ch the 
target electronic message was sent. 

.nnfiaured to send outgoing electronic messages on t^half of terminals 

"^'^slns ««an, a^anged .o send a massage .0 each o. «.e '^nSfied 
des«na«o^:«s^suspens.ono,de,,v,.o...e.aen«.ede^.™s^^^ 
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